Comments on: Stealing Pictures with Picasa

By: Ryan Naraine’s Zero Day mobile edition

Ryan Naraine’s Zero Day mobile edition — Sat, 24 Nov 2007 02:18:54 +0000

[...] Unfortunately, URIs are also accessible to attackers through cross-site scripting (XSS), so an attacker can XSS a Picasa user, load Flash which doesn’t do DNS pinning (this JUST missed our list), and then steal the user’s images without any interaction or confirmation. [...]

By: Marcin

Marcin — Mon, 29 Oct 2007 17:58:16 +0000

Hey Nate.. we met at San Diego airport and talked for a bit. We were both headed to Phoenix. Anyways, I couldn’t find an email address and I didn’t want to go “searching” for one, so I thought I’d post a comment here and hope you would respond to the email address I left. You can delete this comment

By: Info World » Blog Archive » Microsoft bows to criticism, will fix Window’s URI security flaw

Thu, 11 Oct 2007 17:47:19 +0000

[...] example, it would be impossible for Microsoft to fix a recent Picasa flaw discovered by McFeters and Researcher Billy Rios. "The Picasa flaw is based on the [...]

By: Info World » Blog Archive » Microsoft to fix Window’s URI security flaw after criticism

Thu, 11 Oct 2007 11:15:07 +0000

[...] example, it would be impossible for Microsoft to fix a recent Picasa flaw discovered by McFeters and Researcher Billy Rios. "The Picasa flaw is based on the [...]

By: A rough week for Google security — Security Bytes

A rough week for Google security — Security Bytes — Fri, 28 Sep 2007 00:12:15 +0000

[...] A Picasa exploit discovered by researchers Billy Rios and Nate McFeters that leverages a combination of XSS, cross [...]

By: Nuove vulnerabilità per i servizi Google « APNIBI blog

Nuove vulnerabilità per i servizi Google « APNIBI blog — Wed, 26 Sep 2007 15:02:20 +0000

[...] scripting bug affligge invece il servizio aziendale Google Search Appliance mentre Google Picasa risulta essere vulnerabile ad un exploit in grado di permettere ad un cracker di prelevare delle immagini [...]

By: rcarter

rcarter — Wed, 26 Sep 2007 14:21:34 +0000

yeah, i’m pretty happy with how it turned out too. the PoC is finally functioning correctly. the thing that was the toughest to get working reliably was the dns rebinding/anti-dns pinning. from everything i’ve read, flash does dns binding and *should* respect the ttl it receives but doesn’t seem to. by comparison the rest was pretty easy.

By: Nathan McFeters

Nathan McFeters — Wed, 26 Sep 2007 02:34:29 +0000

Actually sjovan, there’s a high likelihood this is vulnerable in Nix too, or at the very least attacks like it. I’ve mentioned numerous times now that *Nix has registered URI’s as well.

This is one of my favorite attacks that we’ve pulled off. Lot’s of dynamic pieces.

By: sjovan

sjovan — Tue, 25 Sep 2007 22:59:24 +0000

and then you install linux and stop bothering about stuff like this. good application btw

By: Awesome AnDrEw

Awesome AnDrEw — Tue, 25 Sep 2007 22:05:02 +0000

It is way more work than I could say I would ever think of doing, but the proof of concept was very nice work. I love how you always tie everything together like that.